splunk-appinspect inspect --max-messages foo app.tgz - Returns an error to the user and stops the run.

Check changes

Added check_that_extracted_splunk_app_contains_default_app_conf_file to check that the extracted Splunk App contains a default/app.conf file.

Added check_that_extracted_splunk_app_contains_default_app_conf_file_with_valid_version_number to check that the extracted Splunk App contains a default/app.conf file that contains an [id] or [launcher] stanza with a version property that is formatted as Major.Minor.Revision.

Added check_that_extracted_splunk_app_does_not_contain_invalid_directories to check that the extracted Splunk App does not contain any directories with incorrect permissions. All directories must have the owner's permissions set to r/w/x (700).

Added check_that_extracted_splunk_app_does_not_contain_prohibited_directories_or_files to check that the extracted Splunk App does not contain any directories or files that start with a ., or directories that start with __MACOSX.

Added check_that_splunk_app_package_extracts_to_directory to check that the compressed Splunk App extracts to a directory.

Added check_that_splunk_app_package_extracts_to_visible_directory to check that the compressed artifact extracts to a directory that does not start with a . character.

Added check_that_splunk_app_package_name_does_not_start_with_period to check that the Splunk app provided does not start with a . character.
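The package layout checks listed above can be approximated before submission. The following Python sketch is an added example, not AppInspect's own code: the function names, finding strings and sample archives are constructed for illustration, and it covers only the layout rules (single visible top-level directory, default/app.conf present, no dot-prefixed or __MACOSX paths, owner r/w/x on directories), not the version-number check.

```python
import io
import posixpath
import tarfile

def inspect_package(data):
    """Return layout findings for a .tgz app package given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        names = {posixpath.normpath(m.name): m for m in tar.getmembers()}
    names.pop(".", None)  # tolerate archives created with a leading "./"
    roots = {n.split("/")[0] for n in names}
    if len(roots) != 1 or not any("/" in n or m.isdir() for n, m in names.items()):
        return ["package does not extract to a single directory"]
    root = roots.pop()
    findings = []
    if root.startswith("."):
        findings.append("top-level directory is hidden: " + root)
    if root + "/default/app.conf" not in names:
        findings.append("default/app.conf is missing")
    bad = set()
    for name, m in names.items():
        parts = name.split("/")
        for i, part in enumerate(parts[1:], 1):
            # Every component except the last is a directory by construction.
            is_dir = m.isdir() or i < len(parts) - 1
            if part.startswith(".") or (is_dir and part.startswith("__MACOSX")):
                bad.add("/".join(parts[:i + 1]))
        if m.isdir() and (m.mode & 0o700) != 0o700:
            findings.append("directory lacks owner rwx (700): " + name)
    findings += ["prohibited path: " + p for p in sorted(bad)]
    return findings

def build_sample(root, files, dir_mode=0o755):
    """Build a constructed .tgz in memory; files maps path under root -> text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        dirs = {root} | {root + "/" + posixpath.dirname(p) for p in files if "/" in p}
        for d in sorted(dirs):
            info = tarfile.TarInfo(d)
            info.type, info.mode = tarfile.DIRTYPE, dir_mode
            tar.addfile(info)
        for path, text in files.items():
            info = tarfile.TarInfo(root + "/" + path)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

# Constructed samples: one clean package, one that breaks several rules.
GOOD = build_sample("myapp", {"default/app.conf": "[launcher]\nversion = 1.0.0\n"})
BAD = build_sample(".myapp", {"default/.DS_Store": "x", "bin/run.py": ""}, dir_mode=0o600)
```

The archive is inspected from its member metadata only, so nothing is extracted to disk while checking an untrusted package.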

Added check_no_default_stanzas to check that app does not contain any .conf files that create global definitions using the [default] stanza.

Added check_index_definition_does_not_contain_invoke_scripts_options to check that no index definition contains invoke scripts options, including: warmToColdScript, coldToFrozenScript, and vix.command.

Added check_setup_in_distributed_environment to check that the app can be set up on a distributed system after self-service.

Added check_lookup_csv_is_valid to check that .csv files are not empty, have at least two columns, have headers with no more than 4096 characters, do not use Macintosh-style (\r) line endings, have the same number of columns in every row, and contain only UTF-8 characters.

Added check_for_sched_saved_searches_earliest_and_latest_time to check that if a savedsearch.conf stanza contains scheduling options, it also contains an earliest and latest time.

Added check_archived_files to check that any compressed archives within the main release that need extracting are explained in the app's documentation.

Added check_authentication_conf_does_not_have_bindDNPassword_property to check that stanzas in authentication.conf do not use the bindDNpassword property.

Added check_authorize_conf_capability_not_modified to check that authorize.conf does not contain any modified capabilities.

Added check_audit_conf_black_list to check that app does not contain audit.conf, as it is prohibited in Splunk Cloud due to its ability to configure/disable cryptographic signing and certificates.

Added check_authentication_conf_black_list to check that app does not contain authentication.conf, as it is prohibited in Splunk Cloud due to its ability to configure LDAP authentication and could contain LDAP credentials in plain text.

Added check_crawl_conf_black_list to check that app does not contain crawl.conf as it was deprecated in Splunk 6.0 and as it allows Splunk to introspect the filesystem which is not permitted in Splunk Cloud.

Added check_datatypesbnf_conf_black_list to check that app does not contain datatypesbnf.conf, as it is prohibited in Splunk Cloud.

Added check_default_mode_conf_black_list to check that app does not contain default-mode.conf, as it is prohibited in Splunk Cloud because light forwarders and universal forwarders are not run in Splunk Cloud.

Added check_deployment_conf_black_list to check that app does not contain deployment.conf. Apps should leave deployment configuration up to Splunk administrators.

Added check_deploymentclient_conf_black_list to check that app does not contain deploymentclient.conf as it configures the deployment server client. Apps should leave deployment configurations to Splunk administrators.

Added check_instance_cfg_conf_black_list to check that app does not contain instance.cfg.conf. Apps should not configure server/instance specific settings.

Added check_literals_conf_black_list to check that app does not contain literals.conf. Apps should not alter/override text strings displayed in Splunk Web.

Added check_messages_conf_black_list to check that app does not contain messages.conf. Apps should not alter/override messages/externalized strings.

Added check_outputs_conf_black_list to check that app does not contain outputs.conf as forwarding is not permitted in Splunk Cloud.

Added check_pubsub_conf_black_list to check that app does not contain pubsub.conf as it defines a custom client for the deployment server. Apps should leave deployment configuration up to Splunk administrators.

Added check_segmenters_conf_black_list to check that app does not contain segmenters.conf. A misconfigured segmenters.conf can result in unsearchable data that could only be addressed by re-indexing and segmenters.conf configuration is system-wide.

Added check_server_conf_black_list to check that app does not contain server.conf, as it is prohibited in Splunk Cloud due to its ability to manipulate server settings that are incompatible in Splunk Cloud and can break ingestion.

Added check_serverclass_conf_black_list to check that app does not contain serverclass.conf as it defines deployment server classes for use with deployment server. Apps should leave deployment configuration up to Splunk administrators.

Added check_serverclass_seed_xml_conf_black_list to check that app does not contain serverclass.seed.xml.conf as it configures deploymentClient to seed a Splunk installation with applications at startup time. Apps should leave deployment configuration up to Splunk administrators.

Added check_source_classifier_conf_black_list to check that app does not contain source-classifier.conf as it configures system-wide settings for ignoring terms (such as sensitive data).

Added check_sourcetypes_conf_black_list to check that app does not contain sourcetypes.conf as it is a machine-generated file that stores source type learning rules. props.conf should be used to define sourcetypes.

Added check_splunk_launch_conf_black_list to check that app does not contain splunk-launch.conf as it defines environment values used at startup time. System-wide environment variables should be left up to Splunk administrators.

Added check_telemetry_conf_black_list to check that app does not contain telemetry.conf as it controls a Splunk-internal feature that should not be configured by apps.

Added check_user_seed_conf_black_list to check that app does not contain user-seed.conf as it is used to preconfigure default login and password information.

Added check_wmi_conf_black_list to check that app does not contain wmi.conf, as it is prohibited in Splunk Cloud due to its ability to configure Splunk to ingest data via Windows Management Instrumentation, which should be done via forwarder. Forwarders are not permitted in Splunk Cloud.

Added check_for_default_values_for_modviz to check the properties defined in the spec file README/savedsearches.conf.spec. If a property is defined in the spec file and default/savedsearches.conf does not provide a default value for it, this check should fail.

Added check_for_formatter_html_bad_nodes to check appserver/static/visualizations/<viz_name>/formatter.html for bad nodes that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.

Added check_for_formatter_html_comments to check appserver/static/visualizations/<viz_name>/formatter.html for comments that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.

Added check_for_formatter_html_css_expressions to check appserver/static/visualizations/<viz_name>/formatter.html for css expressions from all tags that are replaced by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.

Added check_for_formatter_html_inappropriate_attributes to check appserver/static/visualizations/<viz_name>/formatter.html for inappropriate attributes that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.

Added check_for_formatter_html_inline_style_attributes to check appserver/static/visualizations/<viz_name>/formatter.html for inline style attributes from all tags that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.

Added check_for_required_files_for_visualization to check that for each custom visualization stanza in default/visualizations.conf there is a matching directory in the appserver/static/visualizations/<visualization_name> directory.

Added check_for_visualizations_preview_png to check the required file appserver/static/visualizations/<viz_name>/preview.png exists for the visualization.

Added check_for_advanced_xml_web_conf_endpoints to check for Module System web.conf endpoints. The Module system was deprecated in Splunk 6.3 as part of the advanced XML deprecation. See: Module System User Manual.

Added check_web_conf to check that default/web.conf only defines [endpoint:] and [expose:] stanzas, with [expose:*] only containing pattern= and methods=.

Added check_web_conf_expose_patterns_have_restmap_matches to check that apps only expose web endpoints that are defined by the Splunk App within default/restmap.conf. Each default/web.conf [expose:] stanza should have the property pattern= which defines a url pattern to expose. Each url pattern exposed should correspond to a stanza within default/restmap.conf with a url pattern defined with the match= property, or for the case of [admin:] stanzas a combination of match= and members= properties.
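The two web.conf checks above can be sketched as follows. This is an added example, not AppInspect's implementation: the function names and sample files are constructed, [admin:] URLs are assumed to be the match= value joined with each members= entry, and patterns are compared literally without expanding wildcards.

```python
import configparser

def parse_conf(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def norm(url):
    return url.strip().strip("/")

def restmap_urls(restmap):
    """URLs declared in restmap.conf; [admin:] joins match with each member (assumption)."""
    urls = set()
    for stanza in restmap.sections():
        match = restmap.get(stanza, "match", fallback=None)
        if match is None:
            continue
        if stanza.startswith("admin:"):
            members = restmap.get(stanza, "members", fallback="").split(",")
            urls.update(norm(norm(match) + "/" + m.strip()) for m in members if m.strip())
        else:
            urls.add(norm(match))
    return urls

def check_web_conf(web_text, restmap_text):
    """Return findings for default/web.conf, cross-checked against default/restmap.conf."""
    web, findings = parse_conf(web_text), []
    known = restmap_urls(parse_conf(restmap_text))
    for stanza in web.sections():
        if stanza.startswith("endpoint:"):
            continue
        if not stanza.startswith("expose:"):
            findings.append(f"[{stanza}] is not an [endpoint:] or [expose:] stanza")
            continue
        extra = sorted(set(web.options(stanza)) - {"pattern", "methods"})
        if extra:
            findings.append(f"[{stanza}] has disallowed properties: {', '.join(extra)}")
        pattern = web.get(stanza, "pattern", fallback="")
        if norm(pattern) not in known:  # literal comparison, wildcards not expanded
            findings.append(f"[{stanza}] exposes '{pattern}' with no restmap.conf match")
    return findings

# Constructed sample files (extra_option is a made-up property name).
WEB_CONF = ("[expose:status]\npattern = myapp/status\nmethods = GET\n"
            "[expose:debug]\npattern = debug/**\nextra_option = 1\n"
            "[settings]\nhttpport = 8000\n")
RESTMAP_CONF = ("[admin:myapp]\nmatch = /myapp\nmembers = status, config\n"
                "[script:ingest]\nmatch = /myapp/ingest\n")
FINDINGS = check_web_conf(WEB_CONF, RESTMAP_CONF)
```

On the constructed input, the [expose:status] stanza passes because the [admin:myapp] stanza declares it, while [expose:debug] and [settings] are reported.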

v1.4.1 (2017-03-13)

This section of "What's new" details what has changed in version 1.4.1 of the Splunk AppInspect CLI tool and API:

Bug fix: Some users were encountering "ImportError: 'module' object has no attribute 'main'" when running splunk-appinspect in certain environments.

v1.4.0 (2017-02-28)

This section of "What's new" details what has changed in version 1.4.0 of the Splunk AppInspect CLI tool and API:

General improvements

AppInspect now generates a clear error when the app fails because default/app.conf is missing instead of silently failing.

Previously, if you used the "cloud" tag, the default bin/readme.txt file would be flagged for manual review. This has been removed and apps with just this file in the bin directory will not be flagged for manual review.

Checks for Automatic updates and platform specific binaries no longer report a manual check if the bin/ and architecture-specific binary directories are empty or non-existent. In these cases the checks will return not_applicable rather than manual_check.

Previously the check check_metadata_white_list returned a manual_check if there were non .meta files in the metadata directory. Now that check correctly returns a failure.

Checks in the ITSI group have been improved to reduce false positives. ITSI checks will now run only if the app is an ITSI module.

Previous versions of AppInspect returned an exit code that reflected the number of failed checks for the app. AppInspect v1.3.0 and later changes this behavior so that the exit code follows these rules:

If AppInspect completes correctly, it returns an error code of 0 (zero).

If AppInspect has errors but completed the run, return an error code of 1.

If AppInspect has errors that prevent it from completing the run, return an error code of 2.

If AppInspect is provided a bundle without an app.conf file or the bundle isn't an app at all, return an error code of 3.

Empty local/ directories will no longer cause AppInspect to produce a manual_check result.

Refined check_for_questionable_commands to match with more accuracy, and a broader set.

Refined the check for verifying that the metadata directory only contains *.meta files to return a failure for each non-.meta file rather than a manual check, since these files should never be included.

Refined the check for default/limits.conf from a manual check to a failure if the file exists.

v1.3.1 (2016-11-21)

This section of "What's new" details what has changed in version 1.3.1 of the Splunk AppInspect CLI tool and API:

General improvements

Improved automated screening of apps for Splunk Cloud. Running the inspect command with the cloud tag will now indicate whether an app will need manual review before it can be installed in Splunk Cloud. For instance:
